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Abstract:  We  propose  and  analyze  a  class  of  trust 
management  protocols  for  encounter-based  routing  in 
delay  tolerant  networks  (DTNs).  The  underlying  idea  is 
to  incorporate  trust  evaluation  in  the  routing  protocol, 
considering  not  only  quality-of-service  (QoS)  trust 
properties  (connectivity)  but  also  social  trust  properties 
(honesty  and  unselfishness)  to  evaluate  other  nodes 
encountered.  Two  versions  of  trust  management 
protocols  are  considered:  an  equal-weight  QoS  and 
social  trust  management  protocol  (called  trust-based 
routing)  and  a  QoS  only  trust  management  protocol 
(called  connectivity-based  routing).  By  utilizing  a 
stochastic  Petri  net  model  describing  a  DTN  behavior, 
we  analyze  the  performance  characteristics  of  these  two 
routing  protocols  in  terms  of  message  delivery  ratio, 
latency,  and  message  overhead.  We  also  perform  a 
comparative  performance  analysis  with  epidemic  routing 
for  a  DTN  consisting  of  heterogeneous  mobile  nodes 
with  vastly  different  social  and  networking  behaviors. 
The  results  indicate  that  trust-based  routing  approaches 
the  ideal  performance  of  epidemic  routing  in  delivery 
ratio,  while  connectivity-based  routing  approaches  the 
ideal  performance  in  message  delay  of  epidemic  routing, 
especially  as  the  percentage  of  selfish  and  malicious 
nodes  present  in  the  DTN  system  increases.  By  properly 
selecting  weights  associated  with  QoS  and  social  trust 
metrics  for  trust  evaluation,  our  trust  management 
protocols  can  approximate  the  ideal  performance 
obtainable  by  epidemic  routing  in  delivery  ratio  and 
message  delay  without  incurring  high  message  overhead. 

Key  words;  delay  tolerant  networks,  opportunistic 
routing,  social  trust,  QoS  trust,  social  networks, 
performance  analysis,  stochastic  Petri  nets. 

1.  Introduction 

A  delay  tolerant  network  (DTN)  provides 
interoperable  communications  through  mobile  nodes 
with  the  characteristics  of  high  end-to-end  path  latency, 
frequent  disconnection,  limited  resources  (e.g.,  battery, 
computational  power,  bandwidth),  and  unreliable 
wireless  transmission.  Further,  for  DTNs  in  mobile  ad 
hoc  network  (MANET)  environments,  we  also  face 
additional  challenges  due  to  a  lack  of  centralized  trust 
entity  and  this  increases  security  vulnerability  [5].  For  a 
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sparse  MANET  DTN,  mobility-assisted  routing  based  on 
store-carry-and-forward  method  has  been  used.  That  is, 
a  message  carrier  forwards  a  message  to  an  encountered 
node  until  the  message  reaches  a  destination  node.  In 
MANET  DTN  environments,  it  is  important  to  select  a 
trustable  node  as  a  next  message  carrier  among  all 
encountered  nodes  to  minimize  delay  for  a  message  to 
reach  a  destination  node  as  well  as  to  maximize  the 
message  delivery  ratio.  In  this  paper,  we  consider  a 
MANET  DTN  in  the  presence  of  selfish  and  malicious 
nodes  and  propose  a  family  of  trust  management 
protocols  for  encounter-based  routing  to  select  a  highly 
trustable  next  message  carrier  with  the  goals  of 
maximizing  the  message  delivery  ratio  without  incurring 
a  high  delay  or  a  high  message  overhead. 

In  the  literature,  DTN  routing  based  on  encounter 
patterns  has  been  investigated  [2,  10,  11].  However,  if 
the  predicted  encounter  does  not  happen,  then  messages 
would  be  lost  for  single-copy  routing,  or  flooded  for 
multi-copy  routing.  Moreover,  these  approaches  could 
not  guarantee  reliable  message  delivery  due  to  the 
presence  of  selfish  or  malicious  nodes.  The  vulnerability 
of  DTN  routing  to  node  selfishness  was  well  studied  in 
[7].  Several  recent  studies  [12,  14,  15]  considered  using 
reputation  in  selecting  message  carriers  among 
encountered  nodes  for  DTNs.  Nevertheless,  [12,  14] 
assumed  that  a  centralized  entity  exists  for  credit 
management,  and  [15]  merely  used  reputation  to  judge  if 
the  system  should  switch  from  reputation-based  routing 
to  multipath  routing  when  many  selfish  nodes  exist. 

There  is  very  little  research  to  date  on  the  social 
aspect  of  trust  management  for  DTN  routing.  Social 
relationship  and  social  networking  were  considered  as 
criteria  to  select  message  carriers  in  a  DTN  MANET  [6, 
8].  However,  no  consideration  was  given  to  the  presence 
of  malicious  or  selfish  nodes.  Very  recently  [9] 
considered  routing  by  socially  selfish  nodes  in  DTNs, 
taking  into  consideration  the  willingness  of  a  socially 
selfish  node  to  forward  messages  to  the  destination  node 
because  of  social  ties.  Unlike  prior  work  cited  above,  in 
this  paper,  we  combine  the  notion  of  social  trust  and 
QoS  trust  into  a  composite  trust  metric  for  determining 
the  best  node  among  the  new  encounters  for  message 
forwarding.  We  consider  honesty  and  unselfishness  for 
social  trust  to  account  for  node  trustworthiness  for 
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message  delivery,  and  connectivity  for  QoS  trust  to 
account  for  node  capability  to  quickly  deliver  the 
message  to  the  destination  node.  By  assigning  various 
weights  associated  with  these  QoS  and  social  trust 
properties,  we  form  a  class  of  DTN  routing  protocols, 
from  which  we  examine  two  versions  of  the  trust 
management  protocol  in  this  paper:  an  equal- weight  QoS 
and  social  trust  management  protocol  (called  trust-based 
routing  for  short)  and  a  QoS  trust  only  management 
protocol  (call  connectivity-based  routing  for  short).  We 
analyze  and  compare  the  performance  characteristics  of 
trust-based  routing  and  connectivity-based  routing 
protocols  with  epidemic  routing  [13]  for  a  DTN 
consisting  of  heterogeneous  mobile  nodes  with  vastly 
different  social  and  networking  behaviors.  The  results 
indicate  that  our  trust-based  routing  protocol  approaches 
the  ideal  performance  of  epidemic  routing  in  delivery 
ratio,  while  connectivity-based  routing  approaches  the 
ideal  performance  of  epidemic  routing  in  message  delay, 
as  the  percentage  of  selfish  and  malicious  nodes  present 
in  the  DTN  system  increases.  All  DTN  routing  protocols 
in  the  class  significantly  outperform  epidemic  routing  in 
message  overhead. 

2.  System  Model 

We  consider  a  MANET  DTN  environment  with  no 
centralized  trust  authority.  Nodes  communicate  through 
multi-hops.  Every  node  may  have  a  different  level  of 
energy  and  speed  reflecting  node  heterogeneity.  We 
differentiate  selfish  nodes  from  malicious  nodes.  A 
selfish  node  acts  for  its  own  interest.  So  it  may  drop 
packets  arbitrarily  just  to  save  energy  but  it  may  decide 
to  forward  a  packet  if  it  has  good  social  ties  with  the 
destination  node.  A  malicious  node  acts  maliciously 
with  the  intention  to  disrupt  the  main  functionality  of  the 
DTN,  so  it  can  drop  packets,  jam  the  wireless  channel, 
and  even  forge  false  packets.  To  deal  with  malicious 
nodes,  we  assume  that  a  distributed  intrusion  detection 
system  (IDS)  exists  for  detecting  malicious  nodes.  As 
soon  as  a  malicious  node  is  detected  by  IDS,  the 
malicious  node  will  be  made  known  to  all  nodes,  which 
will  set  the  trust  value  of  the  malicious  node  to  zero  and 
thus  exclude  it  as  a  message  carrier  for  message 
forwarding.  Since  there  is  no  perfect  IDS,  we 
characterize  the  distributed  IDS  by  its  false  positive  and 
false  negative  probabilities  for  which  less  than  1%  is 
deemed  acceptable.  A  node  initially  may  be  healthy  but 
compromised  through  capture  for  example.  Once  a  node 
is  compromised,  it  is  a  malicious  node.  In  the  paper,  we 
will  use  the  terms  malicious  node  and  compromised 
node  interchangeably. 

We  consider  the  following  node  behavior  model. 
The  energy  level  of  a  node  is  related  with  the  speed  at 
which  the  node  may  be  compromised.  That  is,  a  node  is 
more  likely  to  be  compromised  when  it  has  low  energy 
and  vice  versa  since  a  node  with  high  energy  is  more 


capable  of  defending  itself  against  attackers  by 
performing  energy-consuming  defense  mechanisms.  If  a 
node  is  selfish,  the  speed  of  energy  consumption  is 
slowed  down  and  vice  versa.  If  a  node  becomes 
compromised  but  not  detected  by  IDS,  the  speed  of 
energy  consumption  will  increase  since  the  node  may 
have  a  chance  to  perform  attacks  which  may  consume 
more  energy.  We  also  consider  redemption  mechanism 
for  a  selfish  node  to  have  a  second  chance.  That  is,  a 
selfish  node  may  become  unselfish  again  socially  upon 
learning  status  of  other  neighbor  nodes. 

A  node’s  trust  value  is  assessed  based  on  direct 
observations  and  indirect  information  like 
recommendations.  The  trust  of  one  node  toward  another 
node  is  updated  upon  encounter  events.  Our  trust  metric 
consists  of  two  trust  types:  QoS  trust  and  social  trust. 
QoS  trust  is  evaluated  through  the  communication  and 
information  networks  by  the  capability  of  a  node  to 
deliver  messages  to  the  destination  node.  We  consider 
connectivity  to  measure  the  QoS  trust  level  of  a  node. 
Social  trust  is  based  on  social  relationships.  We  consider 
unselfishness  (or  cooperation)  and  honesty  (or 
healthiness)  to  measure  the  social  trust  level  of  a  node. 
Different  from  most  existing  encounter-based  routing 
protocols  which  considered  only  connectivity,  we 
consider  social  trust  in  additional  to  QoS  trust  in  order  to 
select  more  faithful  message  carriers  among  encountered 
nodes.  We  define  a  node’s  trust  level  as  a  real  number  in 
the  range  of  [0,  I],  with  I  indicating  complete  trust,  0.5 
ignorance,  and  0  complete  distrust. 

3.  Trust  Management  for  Message  Routing 

The  trust  value  of  node  j  as  evaluated  by  node  i  at 
time  /,  denoted  as  r,y  (t) ,  is  computed  by  a  weighted 
average  of  connectivity,  honesty,  and  unselfishness  trust 
components.  Specifically  node  i  will  compute  Tij  (t)  by: 

+  (t) 

+  W3ri°""'"  (0 

,  rp  unself  is  hness  ^ 

-f-  W4  /j.y 

where  Wj :  W2 :  W3 :  W4  is  the  weight  ratio  with  W1+W2  + 
W3  +  W4  =  1 .  Of  these  trust  components  (or  properties) 
in  Equation  1,  7;^^-conncctiwty  about  node  i’s  belief 

in  node  /’s  encounter  connectivity  to  node  j,  representing 
the  delay  of  node  /  passing  the  message  to  node  J, 
jd-connectivity  about  node  /’s  belief  in  node  fs 

connectivity  to  the  destination  node  representing  the 
delay  of  node  j  passing  the  message  to  node  d, 
jhonesty  about  node  i’s  belief  in  node  y’s  honesty, 

and  (t)is  about  node  i’s  belief  in  node  y’s 

cooperation.  In  message  forwarding  in  DTNs,  two  most 
important  performance  metrics  are  message  delivery 
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ratio  and  delay.  The  rationale  of  using  these  four  trust 
metrics  is  to  rank  nodes  such  that  high  (f) 

and  (t)  represent  low  delay,  while  high 

it)  and  represent  high  delivery 

ratio.  We  set  T™ectMty  -connectivity 

jhonesty^^^  and  (Q)  to  ignorance  since 

initially  there  is  no  information  exchanged  among  nodes. 
When  node  i  encounters  another  node,  say  node  m,  it 
exchanges  its  encounter  history  with  node  m  and  uses 
node  w  as  a  recommender  to  update  its  beliefs  toward 
node  j  as  follows: 

=  Pi  '  ""(t)  +  p2  •  \t)  (2) 


where  X  refers  to  a  trust  property  ^e-connectivity,  d- 
connectivity,  honesty,  or  unselfishness)  with: 


T  direct.  ^ 

(  (£  -  At),  ifm^j 

(3) 

j<indirect  ,  X  _  j 

C  m=  j 

(4) 

In  Equation  2,  pi  is  a  weight  parameter  to  weigh 
node  /’s  own  trust  assessment  toward  node  j  at  time  /, 
i.e.,  “self- information,”  and  pi  is  a  weight  parameter  to 
weigh  indirect  information  from  the  recommender,  i.e., 
“other-information,”  with  +  ^2  ”  1-  Equation  3,  if 
the  new  encounter  (node  m)  is  node  j  itself,  node  /  can 
directly  observe  trust  properties  of  node  j.  We  use 
"^(t)  to  denote  the  assessment  result  of  node  / 
toward  node  m  in  trust  property  X  based  on  direct 
observations.  Later  in  Section  4,  we  will  describe  how 
this  can  be  obtained  using  node  /’s  knowledge  toward  a 
newly  encountered  node.  If  the  new  encounter  m  is  not 
node  y,  we  use  node  /’s  belief  in  node  j  as  evaluated  at 
time  /-At,  corresponding  to  the  belief  of  node  /  toward 
node  y  based  on  past  interaction  experiences  prior  to  time 
/,  as  the  basis  of  direct  observations  for  node  /  to  further 
evaluate  node  j  at  time  /.  Here  At  refers  to  the  duration 
between  two  encounter  times.  In  Equation  4,  if  the  new 
encounter  m  is  node  j  itself,  then  there  is  no  indirect 
recommendation  information,  so  node  /  will  just  use  its 
trust  information  obtained  at  time  /-At.  If  the  new 
encounter  mis  not  node  y,  then  node  m  will  provide  its 
recommendation  to  node  /  for  evaluating  node  y,  and  we 
must  take  node  fs  belief  in  node  m  into  consideration  in 
the  calculation  of  Equation  4.  This  models  the  decay  of 
trust  as  trust  is  derived  from  a  distant  node  as  indirect 
information. 

Tij  (t)  in  Equation  1  can  be  used  by  node  /  (if  it  is  a 
message  carrier)  to  decide,  upon  encountering  node  m,  if 
it  should  forward  the  message  to  node  m  with  the  intent 
to  shorten  the  message  delay  and  improve  the  message 
delivery  ratio.  We  consider  a  Q-permissible  policy  in 
this  paper,  i.e.,  node  i  will  pass  the  message  to  node  m  if 


Timif)  is  in  the  top  Q  percentile  among  all  (t)'s.  We 
experiment  with  various  values  of  Q  to  trade  message 
delivery  ratio  with  message  latency. 

4.  Performance  Model 

We  analyze  the  performance  of  the  proposed  trust- 
based  routing  protocol  for  DTN  message  forwarding  by 
a  probability  model  based  on  stochastic  Petri  net  (SPN) 
techniques  [4]  due  to  its  ability  to  handle  a  large  number 
of  states.  The  SPN  model  is  shown  in  Figure  I.  The  SPN 
model  describes  a  node’s  lifetime  in  the  presence  of 
selfish  and  malicious  nodes,  and  IDS  to  detect  malicious 
nodes.  It  is  used  to  obtain  each  node’s  information  (e.g., 
connectivity,  honesty,  and  unselfishness)  and  to  derive 
the  trust  relationship  with  other  nodes  in  the  system. 
Without  loss  of  generality,  we  consider  a  square-shaped 
operational  area  consisting  of  sub-grid  areas  with 
the  width  and  height  equal  to  wireless  radio  range  {R). 
Initially  nodes  are  randomly  distributed  over  the 
operational  area  based  on  uniform  distribution.  A  node 
randomly  moves  to  one  of  four  locations  in  four 
directions  (i.e.,  north,  west,  south,  and  east)  in 
accordance  with  its  mobility  rate.  To  avoid  end-effects, 
movement  is  wrapped  around  (i.e.,  a  torus  is  assumed). 
The  SPN  model  produces  the  probability  that  node  /  is  at 
a  particular  location  L  at  time  /.  This  information  along 
with  the  location  information  of  other  nodes  at  time  / 
provides  us  the  probability  of  two  nodes  encountering 
with  each  other,  and  how  often  two  nodes  exchange 
encounter  histories  to  update  (t). 
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Below  we  explain  how  we  construct  the  node  SPN 
subnet  for  describing  a  node’s  behavior  in  terms  of  its 
location,  energy  level,  degree  of  honesty  (e.g.,  whether 
or  not  a  node  is  compromised  or/and  detected  by  IDS), 
and  degree  of  selfishness. 

Location:  Transition  T  LOCATION  is  triggered 
when  the  node  moves  to  a  randomly  selected  area  out  of 
four  different  directions  from  its  current  location  with 
the  rate  calculated  as  a{t)/R  based  on  its  speed  a(/)  at 
time  /  and  wireless  radio  range  {R).  The  speed  at  time  /  is 
linearly  proportional  to  its  remaining  energy,  calculated 
as  oo  ^  ^remain  ^^0  where  ao  is  the  initial  speed,  Eo  is 
the  initial  energy  and  E^emam  the  remaining  energy 
given  by  mark(Energy). 
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Connectivity:  Connectivity  of  node  j  to  the 
destination  node  d  is  measured  by  the  time-averaged 
probability  that  node  j  and  node  d  are  within  one-hop 
during  [/-nAt,  t],  modeling  not  only  chances,  but  also 
recency  of  encountering  events  between  node  j  and  node 
d.  This  can  be  obtained  by  knowledge  of  location 
probabilities  of  node  j  and  node  d  during  [r-nAt,  t]. 

Energy:  Place  Energy  represents  the  current  energy 
level  of  a  node.  An  initial  energy  level  of  each  node  is 
assigned  according  to  node  heterogeneity  information.  A 
token  is  taken  out  when  transition  T_ENERGY  fires. 
The  transition  rate  of  T_ENERGY  is  adjusted  on  the  fly 
based  on  a  node’s  state.  It  is  lower  when  a  node  is  selfish 
to  save  energy;  it  is  higher  when  the  node  becomes 
compromised  so  that  it  performs  attacks  more  and 
consumes  energy  more.  We  use  the  energy  model  in  [3] 
to  adjust  the  rate  to  consume  one  token  in  place  Energy 
based  on  a  node’s  state. 

Honesty:  A  node  is  compromised  when  transition 
T_COMPRO  fires.  The  transition  rate  to  transition 
T_COMPRO  is  modeled  as  ^/Tcomp  with  the  interval 
Tcomp  =  ai{mark{Energy)  +  iy /Xcom  where 
is  the  node  compromise  rate  initially  given,  and 
mark{Energy)  indicates  the  level  of  current  energy.  In 
practice  Acom  derived  from  the  first-order 

approximation  of  the  attack  history  collected  by  IDS. 
The  two  parameters  and  e  are  used  to  model  the 
behavior  of  node  compromise  such  that  if  the  node  has 
low  energy,  it  is  more  likely  to  become  compromised, 
and  vice  versa.  If  the  node  is  compromised,  a  token  goes 
to  UCN,  meaning  that  the  node  is  being  compromised 
but  not  yet  detected  by  IDS.  While  the  node  is  not 
detected  by  IDS,  it  has  a  chance  to  perform  attacks.  If  a 
compromised  node  is  being  detected  by  IDS,  a  token  is 
taken  out  from  UCN  into  DCN  and  the  node  is  evicted 
immediately.  We  model  a  DTN  equipped  with  IDS 
characterized  by  false  alarm  probabilities.  A  false 
negative  probability  (P/n^)  of  IDS  is  considered  in 
T_IDS  which  has  the  rate  of  (l  —  Pfn^)/T'iDS  and  a  false 
positive  probability  ( P/p  ^ )  of  IDS  is  considered  in 
T_IDSFA  which  has  the  rate  of  P/p^/T/D5- 

Selfishness:  Place  SN  represents  whether  a  node  is 
selfish  or  not.  If  a  node  becomes  selfish,  a  token  goes  to 
5A^by  triggering  T_SELFISH.  A  node’s  selfish  behavior 
is  a  function  of  its  remaining  energy.  Specifically,  the 
transition  rate  to  T_SELF1SH  is  given  by: 

rate(J  SELFISH)  =  ^ 

where  At  is  the  duration  between  two  encountering 
events  over  which  a  node  may  decide  to  become  selfish. 
The  form  f{y)  =  follows  the  demand-pricing 

relationship  in  Economics  [1]  to  model  the  effect  of  its 
argument  y  on  the  selfishness  behavior,  such  that 
fiEremain  )  n^odels  the  behavior  that  a  node  with  a 


higher  level  of  energy  is  less  likely  to  be  selfish. 
Similarly  a  selfish  node  may  become  unselfish  again 
through  transition  T_REDEMP.  The  redemption  rate  is 
modeled  in  a  similar  way  as: 


rate(T_REDEMP)  = 


S^^consumed  ) 


At 


(6) 


where  g(y)  =  and  Econsumed  the  amount  of 

energy  consumed  as  given  by  Eq  —  Ej-cmain  At  is  the 
encountering  interval  over  which  a  selfish  node  may 
decide  to  become  unselfish  again.  g{Econsumed  )  models 
the  behavior  that  a  node  with  a  lower  level  of  energy 
will  more  likely  stay  selfish  to  further  save  its  energy 
considering  its  own  individual  benefit. 

With  the  node  behaviors  modeled  by  the  SPN  model 
described  above  we  can  calculate  as  follows. 

When  node  i  encounters  node  m,  node  /  will  perform 
direct  trust  assessment  toward  node  m  in  trust  property  X 
to  yield  Because  node  /  and  node  m  are 

within  I -hop  upon  encounter,  node  /  has  exact 
knowledge  about  whether  node  m  is  selfish  or  not 
through  status  exchange,  snooping  and  overhearing. 
Hence  node  /’s  direct  assessment  in  node  w’s  selfishness 
at  the  encounter  time  t  is  exactly  the  same  as  the 
selfishness  status  node  m  at  time  t.  Consequently, 

^encounter  ,  unself  is  hness  Equation  3  is  simply 

equal  to  the  probability  that  place  SN  does  not  contain  a 
token  at  time  t,  which  we  can  compute  easily  from  the 
SPN  output.  Similarly,  (t)  can 

be  computed  by  the  time-averaged  probability  that  node 
i  and  node  m  are  within  one-hop  during [t  —  nAt,  t],  and 
^^counter  ,  d -connectivity  time-avCraged 

probability  that  node  m  and  node  d  are  within  one-hop 
during  [t-nAt,  t],  utilizing  the  SPN  output  regarding  the 
node  location  probability  at  time  t.  For  the  honesty  trust 
component,  node  /  knows  node  m  is  malicious  only 
when  IDS  detects  it  and  announces  a  message  to  the 
system,  i.e.,  when  node  w’s  place  DCN  (in  Figure  1)  is 
not  zero.  Thus,  we  can  compute  7^  ^  (t) 

by  the  probability  that  place  DCN  in  node  m  contains  a 
token  at  time  t.  Once  (f )  is  obtained  at  each 

encounter  time,  node  /  can  update  its  (t)  based  on 
Equation  2,  and  subsequently,  can  obtain  Tij  (t)  based  on 
Equation  1. 

5.  Results 


Table  1:  Default  parameter  values  used. 
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Below  we  show  numerical  results  and  provide 
physical  interpretation  of  the  results  obtained.  Table  1 
lists  the  default  parameter  values  used.  For  trust-based 
routing,  we  set  Wi:w2:w3:w4  =  0.25:0.25:0.25:0.25  for 
e-connectivity:  d-connectivity:  honesty:  unselfishness, 
while  for  connectivity-based  routing,  we  set 
Wi:  W2:W3:  W4  =  0.5:0.5:0:0.  We  setup  20  nodes  with 
vastly  different  initial  energy  levels  in  the  system 
moving  randomly  in  a  8x8  operational  region  with  the 
mobility  in  the  range  of  (0,  2]  m/s  and  with  each  area 
covering  250  m  radio  radius.  Good  nodes  are  the  ones 
with  the  compromise  rate  being  0  and  the  selfish  rate 
being  zero.  Selfish  nodes  are  the  ones  with  the  selfish 
rate  defined  based  on  Equation  5  and  redemption  rate 
defined  by  Equation  6.  Bad  nodes  have  a  non-zero 
compromise  rate  Acom  the  range  of  [l/480min., 
l/160min.],  allowing  bad  nodes  to  transit  from  healthy 
nodes  to  malicious  nodes.  We  use  all  encounters  as  the 
recommenders.  The  initial  trust  level  is  set  to  ignorance 
(i.e.,  0.5)  for  all  trust  properties. 

To  reveal  which  trust  component  might  have  a 
more  dominant  effect,  we  show 

T.^connectivity  and  /iness 


node  /  evaluating  node  j  randomly  picked.  Other  nodes 
exhibit  similar  trends  and  thus  only  one  set  of  results  is 
shown.  Figure  2  shows  these  trust  component  values  as  a 
function  of  time  t  with  the  compromise  rate  of  node  j 
ranging  from  once  per  480  min.  to  once  per  160  min.  We 
see  that  connectivity  dominates  other  trust  properties 
when  node y’s  compromise  rate  is  small.  However,  as  the 
compromise  rate  increases,  honesty  dominates  other 
trust  properties  as  the  percentage  of  malicious  nodes 
increases.  This  demonstrates  that  our  trust-based  routing 
protocol  for  encounter-based  message  forwarding 
reflects  dynamic  environmental  changes. 
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Figure  2:  Comparing  Tjj(t)  as  a  function  of  time 
with  respect  to  node y’s  compromise  rate. 

Next  we  consider  a  message  forwarding  scenario  in 
which  in  each  run  we  randomly  pick  a  source  node  s  and 
a  destination  node  d.  The  source  and  destination  nodes 
picked  are  always  good  nodes.  There  is  only  a  single 
copy  of  the  message  initially  given  to  node  s.  We  let  the 


system  run  for  30  min.  to  warm  up  the  system  and  start 
the  message  forwarding  afterward  in  each  run.  During  a 
message  passing  run,  every  node  /  updates  its  Ti  j  (t)  for 
all  j  based  on  Equation  1.  In  particular  the  current 
message  carrier  uses  Ti  j  (t)  to  judge  if  it  should  pass  the 
message  to  a  node  it  encounters  at  time  t.  If  the  message 
carrier  is  malicious,  the  message  is  dropped  (a  weak 
attack).  If  the  message  carrier  is  selfish,  the  message 
delivery  continues  with  50%  of  the  chance.  A  message 
delivery  run  is  completed  when  the  message  is  delivered 
to  the  destination  node,  or  the  message  is  lost  before  it 
reaches  the  destination  node.  Statistics  are  collected  for 
1 500  runs  from  which  the  message  delivery  ratio,  delay 
and  overhead  performance  measurements  are  calculated. 
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Figure  3:  Message  delivery  ratio:  comparing  trust- 
based  vs.  connectivity-based  and  epidemic  protocols. 


%  of  malicious  and  selfish  nodes 

Figure  4:  Message  delay:  comparing  trust-based  vs. 
connectivity-based  and  epidemic  routing  protocols. 

Figure  3  shows  the  message  delivery  ratio  as  a 
function  of  the  percentage  of  compromised  and  selfish 
nodes  in  the  DTN  for  trust-based  and  connectivity-based 
routing  protocols.  For  performance  comparison,  we  also 
show  the  delivery  ratio  obtained  from  epidemic  routing. 
Here  we  see  that  trust-based  routing  outperforms 
connectivity-based  routing  in  delivery  ratio  and  its 
performance  approaches  the  maximum  achievable 
performance  obtainable  from  epidemic  routing.  This  is 
attributed  to  the  ability  of  trust-based  protocols  being 
able  to  differentiate  healthy  nodes  from  selfish  or 
malicious  nodes  and  select  healthy  nodes  to  relay  the 
message.  The  result  demonstrates  the  effectiveness  of 
incorporating  social  trust  into  the  decision  making 
process  for  DTN  message  routing. 
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Figure  4  shows  the  average  delay  experienced  per 
message  considering  only  those  messages  delivered 
successfully.  Here  we  first  note  that  connectivity-based 
routing  will  always  perform  better  than  trust-based 
routing  because  connectivity-based  protocols  use  the 
delay  to  encounter  the  next  message  carrier  (e- 
connectivity)  and  the  delay  for  the  next  message  carrier 
to  encounter  the  destination  node  (d-connectivity)  as  the 
criteria  to  select  the  next  message  carrier.  The  result 
suggests  that  if  delay  is  of  primary  concern,  we  should 
set  the  weights  associated  with  e-connectivity  and  d- 
connectivity  (QoS  trust  metrics)  higher  than  those  for 
honesty  and  unselfishness  (social  trust  metrics),  as  what 
connectivity-based  routing  does  (by  setting 
Wi:  W2:  W3:  W4  =  0.5: 0.5: 0: 0).  This  will  have  the  effect  of 
trading  high  delivery  ratio  off  for  low  delay.  Figure  4 
also  shows  that  connectivity-based  routing  achieves  the 
ideal  performance  obtainable  from  epidemic  routing  as 
the  percentage  of  malicious  and  selfish  nodes  increases. 

Figure  5  compares  the  three  protocols  in  message 
overhead  measured  by  the  number  of  copies  forwarded 
to  reach  the  destination  node  for  those  messages 
successfully  delivered.  We  see  trust-based  protocols 
perform  comparably  with  connectivity-based  protocols 
and  both  protocols  considerably  outperform  epidemic 
routing  in  message  overhead. 
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Figure  5:  Number  of  copies  propagated  per  message. 
6.  Conclusion 

In  this  paper,  we  have  proposed  and  analyzed  a 
class  of  trust  management  protocols  for  encounter-based 
routing  in  DTNs.  The  most  salient  feature  of  our 
protocol  is  that  we  consider  not  only  connectivity  (QoS 
trust)  but  also  honesty  and  unselfishness  (social  trust) 
properties  into  a  composite  trust  metric  for  decision 
making  in  DTN  routing  dynamically.  Our  performance 
analysis  results  demonstrate  that  by  properly  selecting 
weights  associated  with  QoS  and  social  trust  metrics  for 
trust  evaluation,  our  trust  management  protocols  can 
achieve  the  ideal  performance  level  in  delivery  ratio  and 
delay  obtainable  by  epidemic  routing,  especially  as  the 
percentage  of  malicious  and  selfish  nodes  increases. 

In  the  future,  we  plan  to  investigate  other  forms  of 
message  passing  such  as  multi-copy  message  forwarding 


and  other  forms  of  attacks  by  malicious  nodes  such  as 
jamming,  forgery,  self-promoting  and  slandering  attacks. 
We  also  plan  to  consider  other  trust  metrics  such  as 
technical  competence,  betweenness,  similarity,  and 
social  tie  strengths  [6].  Another  direction  is  to 
investigate  the  best  ratio  of  Wi:  W2:  W3:  W4  or  based 
on  knowledge  about  the  application  or  network  context. 
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